
Amazon Virtual Private Cloud Connectivity Options …

AWS Whitepaper

Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

Introduction
  Abstract
  Introduction
Network-to-Amazon VPC Connectivity Options
  AWS Managed VPN
    Additional Resources
  AWS Direct Connect
    Additional Resources


  AWS Direct Connect Plus VPN
    Additional Resources
  AWS VPN CloudHub
    Additional Resources
  Software VPN
    Additional Resources
  Transit VPC
    Additional Resources
Amazon VPC-to-Amazon VPC Connectivity Options
  VPC Peering
    Additional Resources
  Software VPN
    Additional Resources
  Software-to-AWS Managed VPN
    Additional Resources
  AWS Managed VPN
    Additional Resources
  AWS Direct Connect
    Additional Resources
  AWS PrivateLink
    Additional Resources
Internal User-to-Amazon VPC Connectivity Options
  Software Remote-Access VPN
    Additional Resources
Appendix: High-Level HA Architecture for Software VPN Instances
  VPN
  Resources
Document Details
  Document History
AWS Glossary

Introduction

Publication date: January 2018 (Document Details (p. 31))

Abstract

Amazon Virtual Private Cloud (Amazon VPC) lets customers provision a private, isolated section of the Amazon Web Services (AWS) Cloud where they can launch AWS resources in a virtual network using customer-defined IP address ranges. Amazon VPC provides customers with several options for connecting their AWS virtual networks with other remote networks. This document describes several common network connectivity options available to our customers. These include connectivity options for integrating remote customer networks with Amazon VPC and connecting multiple Amazon VPCs into a contiguous virtual network.

This whitepaper is intended for corporate network architects and engineers or Amazon VPC administrators who would like to review the available connectivity options. It provides an overview of the various options to facilitate network connectivity discussions as well as pointers to additional documentation and resources with more detailed information or …

Amazon VPC provides multiple network connectivity options for you to leverage depending on your current network designs and requirements.

These connectivity options include leveraging either the internet or an AWS Direct Connect connection as the network backbone and terminating the connection into either AWS or user-managed network endpoints. Additionally, with AWS, you can choose how network routing is delivered between Amazon VPC and your networks, leveraging either AWS or user-managed network equipment and routes. This whitepaper considers the following options with an overview and a high-level comparison of each:

Network-to-Amazon VPC Connectivity Options (p. 3)

• the section called “AWS Managed VPN” (p. 4) – Describes establishing a VPN connection from your network equipment on a remote network to AWS managed network equipment attached to your Amazon VPC.
• the section called “AWS Direct Connect” (p. 6) – Describes establishing a private, logical connection from your remote network to Amazon VPC, leveraging AWS Direct Connect.
• the section called “AWS Direct Connect Plus VPN” (p. 8) – Describes establishing a private, encrypted connection from your remote network to Amazon VPC, leveraging AWS Direct Connect.
• the section called “AWS VPN CloudHub” (p. 9) – Describes establishing a hub-and-spoke model for connecting remote branch offices.
• the section called “Software VPN” (p. 11) – Describes establishing a VPN connection from your equipment on a remote network to a user-managed software VPN appliance running inside an Amazon VPC.
• the section called “Transit VPC” (p. 12) – Describes establishing a global transit network on AWS using Software VPN in conjunction with AWS managed VPN.

Amazon VPC-to-Amazon VPC Connectivity Options (p. 14)

• the section called “VPC Peering” (p. 15) – Describes the AWS-recommended approach for connecting multiple Amazon VPCs within and across regions using the Amazon VPC peering feature.

• the section called “Software VPN” (p. 17) – Describes connecting multiple Amazon VPCs using VPN connections established between user-managed software VPN appliances running inside of each Amazon VPC.
• the section called “Software-to-AWS Managed VPN” (p. 18) – Describes connecting multiple Amazon VPCs with a VPN connection established between a user-managed software VPN appliance in one Amazon VPC and AWS managed network equipment attached to the other Amazon VPC.
• the section called “AWS Managed VPN” (p. 19) – Describes connecting multiple Amazon VPCs, leveraging multiple VPN connections between your remote network and each of your Amazon VPCs.
• the section called “AWS Direct Connect” (p. 21) – Describes connecting multiple Amazon VPCs, leveraging logical connections on customer-managed AWS Direct Connect routers.
• the section called “AWS PrivateLink” (p. 23) – Describes connecting multiple Amazon VPCs, leveraging VPC interface endpoints and VPC endpoint services.

Internal User-to-Amazon VPC Connectivity Options (p. 24)

• the section called “Software Remote-Access VPN” (p. 24) – In addition to customer network-to-Amazon VPC connectivity options for connecting remote users to VPC resources, this section describes leveraging a remote-access solution for providing end-user VPN access into an Amazon VPC.

Network-to-Amazon VPC Connectivity Options

This section provides design patterns for you to connect remote networks with your Amazon VPC environment. These options are useful for integrating AWS resources with your existing on-site services (for example, monitoring, authentication, security, data or other systems) by extending your internal networks into the AWS Cloud. This network extension also allows your internal users to seamlessly connect to resources hosted on AWS just like any other internally facing resource.

Connectivity to remote customer networks is best achieved when using non-overlapping IP ranges for each network being connected.

For example, if you'd like to connect one or more VPCs to your home network, make sure they are configured with unique Classless Inter-Domain Routing (CIDR) ranges. We advise allocating a single, contiguous, non-overlapping CIDR block to be used by each VPC. For additional information about Amazon VPC routing and constraints, see the Amazon VPC Frequently Asked Questions.

Option: the section called “AWS Managed VPN” (p. 4)
Use case: AWS managed IPsec VPN connection over the internet
Advantages:
• Reuse existing VPN equipment and processes
• Reuse existing internet connections
• AWS managed endpoint includes multi-data center redundancy and automated failover
• Supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies
Limitations:
• Network latency, variability, and availability are dependent on internet conditions
• Customer managed endpoint is responsible for implementing redundancy and failover (if required)
• Customer device must support single-hop BGP (when leveraging BGP for dynamic routing)

Option: the section called “AWS Direct Connect” (p. 21)
Use case: Dedicated network connection over private lines
Advantages:
• More predictable network performance
• Reduced bandwidth costs
• 1 or 10 Gbps provisioned connections
• Supports BGP peering and routing policies
Limitations:
• May require additional telecom and hosting provider relationships or new network circuits to be provisioned

Option: the section called “AWS Direct Connect Plus VPN” (p. 8)
Use case: IPsec VPN connection over private lines
Advantages:
• Same as the previous option with the addition of a secure IPsec VPN connection
Limitations:
• Same as the previous option with a little additional VPN complexity

Option: the section called “AWS VPN CloudHub” (p. 9)
Use case: Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity
Advantages:
• Reuse existing internet connections and AWS VPN connections (for example, use AWS VPN CloudHub as backup connectivity to a third-party MPLS network)
• AWS managed virtual private gateway includes multi-data center redundancy and automated failover
• Supports BGP for exchanging routes and routing priorities (for example, prefer MPLS connections over backup AWS VPN connections)
Limitations:
• Network latency, variability, and availability are dependent on the internet
• User managed branch office endpoints are responsible for implementing redundancy and failover (if required)

Option: the section called “Software VPN” (p. 11)
Use case: Software appliance-based VPN connection over the internet
Advantages:
• Supports a wider array of VPN vendors, products, and protocols
• Fully customer-managed solution
Limitations:
• Customer is responsible for implementing HA (high availability) solutions for all VPN endpoints (if required)

Option: the section called “Transit VPC” (p. 12)
Use case: Software appliance-based VPN connection with hub VPC; AWS managed IPsec VPN connection for spoke VPC connection
Advantages:
• Same as the previous option with the addition of AWS managed VPN connection between hub and spoke VPCs
Limitations:
• Same as the previous section

AWS Managed VPN

Amazon VPC provides the option of creating an IPsec VPN connection between remote customer networks and their Amazon VPC over the internet, as shown in the following figure. Consider taking this approach when you want to take advantage of an AWS managed VPN endpoint that includes automated multi-data center redundancy and failover built into the AWS side of the VPN connection.
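The non-overlapping CIDR guidance in the Network-to-Amazon VPC Connectivity Options section can be checked before any VPN, Direct Connect or peering link is built. The following is an added example, not part of the AWS whitepaper: it flags overlapping ranges in a constructed inventory and picks the next free contiguous block from a supernet. The network names, address ranges and function names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (assumption): names and ranges are illustrative only.
NETWORKS = {
    "home-network": "10.0.0.0/16",
    "vpc-prod": "10.1.0.0/16",
    "vpc-dev": "10.1.128.0/20",   # sits inside vpc-prod, so the two overlap
    "vpc-shared": "172.16.0.0/20",
}


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose CIDR blocks overlap."""
    # strict=True rejects entries with host bits set, e.g. 10.1.1.0/16.
    parsed = {n: ipaddress.ip_network(c, strict=True) for n, c in networks.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


def next_free_block(supernet, prefixlen, in_use):
    """Return the first /prefixlen block in supernet that overlaps nothing in in_use."""
    pool = ipaddress.ip_network(supernet)
    used = [ipaddress.ip_network(c) for c in in_use]
    for candidate in pool.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None  # pool exhausted at this prefix length


if __name__ == "__main__":
    for a, b in find_overlaps(NETWORKS):
        print(f"overlap: {a} ({NETWORKS[a]}) <-> {b} ({NETWORKS[b]})")
    print("next free /16 in 10.0.0.0/8:",
          next_free_block("10.0.0.0/8", 16, NETWORKS.values()))
```

Running the same check against the real inventory before each new VPC or remote network is added keeps every connectivity option in this section usable without address translation.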

